This China-linked espionage group keeps trying to hack the Cambodian government

Rancor has tried to break into the network of an unnamed Cambodian government organization and deploy their custom malware.

There is no shortage of malware that government-backed hackers can get from the public domain, saving them the trouble of developing their own code. But to meet their intelligence-gathering needs, plenty of groups still roll up their sleeves and build their own kits.

A Chinese espionage outfit known as Rancor has been particularly active on that front. New findings from Palo Alto Networks’ Unit 42 research unit, shared exclusively with CyberScoop, show how, over the past year, the group has tried to break into the network of an unnamed Cambodian government organization and deploy their custom malware.

First, the group laced a Microsoft Excel document with previously undocumented malware in an attempted breach of the Cambodian organization in December 2018 and January 2019, Unit 42 said. When that didn’t work, Rancor packed a computer script with a bunch of potentially infectious code, Unit 42 researchers discovered in July.

The research shows the lengths to which well-resourced groups will go to develop their own hacking tools. Since Rancor’s emergence in 2017, “the only tools we’ve seen them use are all custom” — either unique to Rancor or to a small cluster of Chinese espionage groups, said Jen Miller-Osborn, Unit 42’s deputy director of threat intelligence.


“They have whatever their target list is and, if they aren’t currently in them, they have spent the entire year trying to ensure that they have access to these organizations,” Miller-Osborn told CyberScoop.

The prolific malware development is consistent with a group that is dead-set on getting into their target networks. But ironically, Unit 42 said, none of the attacks on the Cambodian government organization appear to have been successful; the target has blocked the malware at each turn.

Miller-Osborn declined to name the Cambodian government organization, but did say it “is exactly who you would expect an espionage-based group to target.” And given Rancor’s persistence to date, she expects the group to continue to try to breach the Cambodian organization.

Other researchers have taken note of Rancor’s activity in Southeast Asia, which has also included hacking attempts in Singapore. In October, cybersecurity company Check Point said that the group had targeted five unnamed government agencies in the region.

The Chinese government has looked to project its military and economic power throughout Southeast Asia, often clashing with U.S. interests. In Cambodia, the Chinese military has reportedly struck an agreement to use a naval base, while Chinese companies have invested billions of dollars in the country.


With those interests at stake, any number of Cambodian government organizations could make an attractive target for Chinese hackers. Ahead of the July 2018 general election in Cambodia, China-linked hackers breached the networks of the opposition political party.

“It’s not surprising that China is covering all of its bases and wanting to understand what’s happening inside Cambodia, inside government ministries [there],” said Brian Harding, deputy director of the Southeast Asia Program at the Center for Strategic and International Studies.

The Chinese government has been trying to use Cambodia to drive a wedge in the Association of Southeast Asian Nations, a bloc that deals with regional security issues, Harding said. “The China-Cambodia relationship is particularly important for China.”

A spokesperson at the Chinese Embassy in Washington, D.C., did not respond to a request for comment on the new research.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts